Ceph is an open source, highly scalable, software defined storage that provides object, file and block interfaces under a unified system. Ceph Object Storage Gateway (RGW) provides a RESTful object storage interface to the Ceph Storage cluster. It provides an interface that is compatible with a large subset of AWS S3 APIs.

In this talk we discuss the implementation of a subset of the APIs of AWS Secure Token Service (STS). AWS STS is a web service which enables identity federation and cross-account access by providing temporary security credentials.

Ceph Object Storage Gateway now supports some APIs of AWS STS particularly related to web identity federation and cross-account access. The advantages of these temporary credentials are that they automatically expire after a certain duration, provide limited access (via IAM policies) to resources, are provided to the user upon request, and obviate the need for users/ applications to save permanent security credentials thereby removing a potential security loophole.

As an example consider a web application that has users and needs access to RGW S3 buckets to read/ write large files. The application can delegate identity management to a trusted third party identity provider(IDP). It can get temporary credentials from STS after authenticating with the IDP and access the required RGW S3 buckets.